Some embodiments provide novel inline switches that distribute data messages from source compute nodes (SCNs) to different groups of destination service compute nodes (DSCNs). In some embodiments, the inline switches are deployed in the source compute nodes' datapaths (e.g., the egress datapath). The inline switches in some embodiments are service switches that (1) receive data messages from the SCNs, (2) identify service nodes in a service-node cluster for processing the data messages based on service policies that the switches implement, and (3) use tunnels to send the received data messages to their identified service nodes. Alternatively, or conjunctively, the inline service switches of some embodiments (1) identify service-node clusters for processing the data messages based on service policies that the switches implement, and (2) use tunnels to send the received data messages to the identified service-node clusters. The service-node clusters can perform the same service or can perform different services in some embodiments. This tunnel-based approach for distributing data messages to service nodes/clusters is advantageous for seamlessly implementing in a datacenter a cloud-based XaaS model (where XaaS stands for X as a service, and X stands for anything), in which any number of services are provided by service providers in the cloud.
3. The non-transitory machine readable medium of claim 2, wherein the session parameter is a session identifier.
4. The non-transitory machine readable medium of claim 3, wherein the session identifier is provided by the service node and the second data message is a message sent by the service node.
6. The non-transitory machine readable medium of claim 2, wherein the session parameter is a filename and the second data message is a message sent by the SVM.
7. The non-transitory machine readable medium of claim 6, wherein the set of instructions for extracting the filename comprises a set of instructions for extracting the filename from a Uniform Resource Identifier (URI) that is specified in the second data message.
8. The non-transitory machine readable medium of claim 1, wherein the first data message is a request from the SVM to establish a connection session with the service node.
A system and method for managing connection sessions between a service virtual machine (SVM) and a service node in a computing environment. The invention addresses the challenge of efficiently establishing and managing secure communication sessions between virtualized services and backend nodes, ensuring reliable and authenticated interactions. The system includes a non-transitory machine-readable medium storing instructions that, when executed, cause a processor to perform operations for handling data messages exchanged between the SVM and the service node. Specifically, the medium includes instructions for processing a first data message, which is a request from the SVM to establish a connection session with the service node. The system may also include instructions for validating the request, authenticating the SVM, and initiating the session establishment process. Additional instructions may handle session parameters, encryption protocols, and error handling to ensure robust communication. The invention improves session management by streamlining the connection process, reducing latency, and enhancing security in virtualized environments. The solution is particularly useful in cloud computing, distributed systems, and networked applications where secure and efficient service interactions are critical.
9. The non-transitory machine readable medium of claim 1, wherein the set of instructions for establishing a connection session comprises a set of instructions for performing a three-way Transport Control Protocol/Internet Protocol (TCP/IP) handshake with the service node.
A system and method for establishing secure communication sessions between a client device and a service node involves a non-transitory machine-readable medium storing instructions for managing network connections. The medium includes instructions for initiating a connection session with the service node, where the connection process involves performing a three-way TCP/IP handshake. This handshake includes the client device sending a synchronization (SYN) packet to the service node, the service node responding with a synchronization-acknowledgment (SYN-ACK) packet, and the client device acknowledging the connection with an acknowledgment (ACK) packet. The medium also includes instructions for authenticating the client device with the service node, typically using cryptographic methods such as digital certificates or shared keys, to verify the identity of both parties before establishing the session. Once authenticated, the system ensures secure data transmission by encrypting communication using protocols like TLS or SSL. The medium further includes instructions for monitoring the connection for anomalies, such as unexpected disconnections or unauthorized access attempts, and terminating the session if security is compromised. This approach enhances network security by ensuring only authenticated devices can establish and maintain connections with the service node, reducing the risk of unauthorized access or data breaches.
11. The non-transitory machine readable medium of claim 1, wherein the SVM is a virtual machine or a container.
12. The non-transitory machine readable medium of claim 1, wherein the set of instructions for extracting the session parameter comprises a set of instructions for extracting the session parameter from a plurality of datagrams of a plurality of data messages including the second data message, said plurality of datagrams exchanged between the SVM and the service node during the connection session.
14. The non-transitory machine readable medium of claim 1, wherein the set of instructions for selecting the service node comprises a set of instructions for selecting a service node in the service node group based on a set of load balancing criteria and based on stored session parameters.
15. The non-transitory machine readable medium of claim 1, wherein the identified first data message is transmitted by a virtual network interface (VNIC) of the SVM.
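Claims 2 through 7, 12 and 14 describe an inline switch that learns a session parameter (a session identifier issued by the service node, or a filename taken from a request URI) from the messages of a connection and then keeps later messages carrying that parameter on the same service node, falling back to load balancing otherwise. The following is an added illustration of that sticky-selection logic, not code from the patent; the message format, the cookie name `SESSIONID`, the round-robin criterion and all class and function names are assumptions.

```python
# Added example (not from the patent): a minimal session-sticky service switch.
# It learns a session parameter from traffic and pins the session to one node.
import re
from dataclasses import dataclass, field


@dataclass
class ServiceSwitch:
    nodes: list                                     # service node group (constructed)
    sessions: dict = field(default_factory=dict)    # (kind, value) -> service node
    _rr: int = 0                                    # round-robin cursor

    def _balance(self) -> str:
        # Load-balancing criterion (assumed): plain round robin over the group.
        node = self.nodes[self._rr % len(self.nodes)]
        self._rr += 1
        return node

    @staticmethod
    def extract_param(payload: str):
        """Return the session parameter carried by an application-layer payload.
        A session identifier (SESSIONID cookie, assumed name) takes priority;
        otherwise the last path segment of a request URI is used as the filename."""
        m = re.search(r"SESSIONID=([A-Za-z0-9]+)", payload)
        if m:
            return ("session_id", m.group(1))
        m = re.match(r"(?:GET|PUT|POST) \S*/([^/?\s]+)(?:\?|\s)", payload)
        if m:
            return ("filename", m.group(1))
        return None

    def select_node(self, payload: str) -> str:
        """Choose the service node for a message from the SVM: a stored session
        parameter wins; otherwise balance, and remember any parameter seen."""
        param = self.extract_param(payload)
        if param in self.sessions:
            return self.sessions[param]
        node = self._balance()
        if param is not None:
            self.sessions[param] = node
        return node

    def learn_from_reply(self, payload: str, node: str) -> None:
        """A reply from a service node (e.g. one that sets a session cookie)
        binds the parameter it issued to that node for later messages."""
        param = self.extract_param(payload)
        if param is not None:
            self.sessions[param] = node
```

The connection-opening message itself carries no payload, so it is balanced; the parameter learned from the node's reply or from the SVM's own request then decides every later message in that session.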
19. The method of claim 17, wherein the service processing module identifies the first data message before the data message reaches a software forwarding element on the host computer.
21. The method of claim 20, wherein the subsequent data messages are messages sent by the SCN.
A system and method for managing data communication in a network, particularly in scenarios where a source compute node (SCN) is involved. The invention addresses the challenge of efficiently handling data messages within a network, especially when the SCN is the source of subsequent data messages. The method involves processing initial data messages and then managing subsequent data messages sent by the SCN. The initial data messages may be received from various sources, and the system determines whether these messages are valid or require further processing. For subsequent data messages originating from the SCN, the system ensures proper routing, encryption, or other security measures to maintain the integrity and confidentiality of the communication. The method may also include steps for verifying the authenticity of the SCN as the sender of the subsequent messages, ensuring that only authorized data is processed. This approach enhances network security and efficiency by streamlining the handling of messages from trusted sources like the SCN. The invention is particularly useful in environments where secure and reliable data transmission is critical, such as military, financial, or government networks.
22. The method of claim 20, wherein the subsequent data messages are messages sent to the SCN.
August 31, 2015
November 8, 2022